PERSONAL DATA PROTECTION ACT POLICY
The purpose of this Policy is to inform you of how Nanyang Law LLC (“NYL”) handles personal data. The way NYL carries out this is subject to the Personal Data Protection Act (No. 26 of 2012) of Singapore (“PDPA”).
The objectives of this Policy are to:
(a) Provide a set of privacy and personal data protection standards that govern our procedures and protect the privacy of personal data.
(b) Describe the ways in which NYL collect, use, disclose and retain personal data.
(c) Ensure that NYL complies with the PDPA.
1 Personal Data
“Personal Data” is defined under the PDPA to mean data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which an organisation has or is likely to have access.
Examples of Personal Data NYL collects will include but is not limited to:
your name, address, telephone and facsimile numbers, email address, NRIC/Passport number, nationality, bank account details, details of family members, current occupation, connections to NYL, details of assets.
2 NYL’s Collection of Personal Data
NYL may collect Personal Data in the following ways, including but not limited to:
(a) when you submit documents or information for an employment application, such as a CV or when such information is received from employment agencies and references;
(b) during the course of you engaging our services;
(c) when you provide information or documents to us;
(d) from public information sources, third party sources;
(e) via information searching services;
(f) Photographs, videos taken by us or our representatives when you attend events hosted by NYL;
(g) CCTV recordings from NYL premises;
(h) via information communicated to us over the phone, fax, email, face-to face meetings, letters, or other modes of contact;
(i) during events organised by NYL; and
(j) when you submit Personal Data for any other reason.
3 Purposes of Collect, Use and Disclose Personal Data by NYL
Generally, NYL collects, uses and discloses Personal Data for the following purposes:
(a) providing of NYL’s services;
(b) conducting identity checks, payment processing, NYL administrative and business matters(including assessing employment applications and related qualifications);
(c) providing legal updates and other information relating to NYL
(d) evaluating and improving NYL’s services
(e) compliance with the relevant laws and regulations, guidelines, practice directions, policies, procedural and regulatory requirements (which may extend to know-your-client and related reviews) issued by relevant authorities;
(f) responding to feedback and queries; and
(g) any other purpose relating to any of the above.
NYL may from time to time inform you of any other purpose which NYL will use, collect and disclose your Personal Data if required.
4 NYL’s disclosure of Personal Data to Third Parties
NYL will not disclose your Personal Data to third parties without first obtaining your consent permitting us to do so. However, please note that NYL may disclose your Personal Data to third parties without first obtaining your consent in certain situations. For more information on the exceptions, you are encouraged to peruse the Second, Third and Fourth Schedules of the PDPA which is publicly available at http://statutes.agc.gov.sg.
Where NYL discloses your Personal Data to third parties with your consent, we will employ our best efforts to require such third parties to protect your Personal Data.
5 Data Protection Officer (“DPO”)
For further information about this Policy or to access our complaint handling procedure, please address your correspondence to:
Further details of our policy can also be found in the link here.(content below will be in the separate link)
1. Consent Obligation
1.1 Consent Required
NYL shall not collect, use or disclose an individual’s personal data unless:
(a) the person gives, or is deemed to give, consent to the collection, use or disclosure of his/her personal data; or
(b) the collection, use or disclosure of the individual’s personal data without consent is required or authorized under the PDPA or other written law.
1.2 Provision of Consent
1.2.1 NYL shall not, as a condition of providing a service to an individual, require an individual to consent to the collection, use or disclosure of your personal data beyond what is reasonable to provide the service.
1.2.2 NYL shall not obtain or attempt to obtain an individual’s consent for collecting, using or disclosing personal data by providing false or misleading information with respect to the collection, use or disclosure of personal data, or use deceptive or misleading practices.
1.3 If the person provides NYL with any Personal Data relating to a third party, by submitting such Personal Data to NYL, the person shall represent to NYL and must ensure that you have notified the third party of the terms of this Policy and obtained their consent.
2. Deemed Consent
2.1 An individual is deemed to consent to the collection, use or disclosure of his/her personal data for a purpose if:-
(a) the individual voluntarily provides personal data to NYL for that purpose, albeit without actually expressly providing his/her consent; and
(b) it is reasonable that the individual would voluntarily provide the data.
2.2 If an individual gives, or is deemed to give, consent to the disclosure of personal data by NYL to another organisation for a particular purpose, then he/she is deemed to consent to the collection, use or disclosure of his/her personal data for that particular purpose by such other organisation.
3. Withdrawal of Consent
3.1 On providing reasonable notice to NYL, an individual may at any time withdraw any consent given, or deemed to be given, in respect of NYL’s collection, use or disclosure of personal data for any purpose.
3.2 The individual may submit the withdrawal of consent via mail, email or by completing the Withdrawal of Consent Form and submit it to NYL.
3.3 On receipt of such notice, NYL shall inform the individual of the likely consequences of withdrawing your consent.
3.4 NYL shall have up to 30 days to process and update the individual’s request.
3.5 NYL shall not prohibit an individual from withdrawing your consent to the collection, use or disclosure of personal data.
3.6 If an individual withdraws his/her consent, then NYL shall cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing your personal data unless otherwise required under the PDPA or other written law.
3.7 Although an individual may have withdrawn consent for the collection, use or disclosure of your personal data, NYL may retain his/her personal data for any necessary purpose with NYL and in accordance with any NYL Record-keeping practices.
4. Purpose Limitation Obligation
4.1 Limitation of Purpose
NYL may collect, use or disclose an individual’s personal data only for purposes:
(a) that a reasonable person would consider appropriate in the circumstances; and
(b) where the individual has been informed in accordance with clause 4.2 of this Policy, to the extent applicable.
4.2 Notification of Purpose
NYL shall provide an individual with the following information whenever we seek to obtain your consent toc the collection, use or disclosure of your personal data, except under circumstances where your consent is deemed or is not required:-
(a) the purpose(s) for the collection, use or disclosure of the personal data, on or before collecting the personal data;
(b) any other purpose(s) for the use or disclosure of the personal data of which he/she has not been informed under clause 4.2.1 of this Policy, before the use or disclosure of the personal data for that purpose; and
(c) on request by the individual, the contact details of the NYL Data Protection Officer (“DPO”), who can answer his/her questions about the collection, use or disclosure of personal data.
5. Access and Correction Obligation
5.1 Access to Personal Data
On an individual’s request, and subject to the restrictions set forth in the PDPA, NYL shall, as soon as reasonably possible, provide him/her with:-
(a) his/her personal data that is in NYL’s possession or control; and
(b) information about the ways in which the personal data has or may have been used or disclosed by NYL within a year before the data of your request.
5.2 NYL may charge a minimum fee for access to the individual’s personal data to offset the administrative costs in complying with such requests.
5.3 Correction of an individual’s Personal Data
5.3.1 An individual may request NYL to correct an error or omission in his/her personal data that is under NYL’s control or possession. Unless NYL is satisfied on reasonable grounds that a correction should not be made or the law states otherwise. NYL shall:
(a) correct the personal data as soon as practicable; and
(b) send the corrected personal data to every organisation to which your personal data was disclosed by NYL within a year before the data the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose.
5.3.2 NYL is not required to correct or alter an opinion, including a legal or an expert opinion.
6. Accuracy Obligation
NYL shall make reasonable efforts to accurately record an individual’s personal data as given by him/her or his/her representatives and make reasonable efforts to ensure that the personal data is accurate and complete, if the personal data:
(a) is likely to be used by NYL to make a decision that affects the individual; or
(b) is likely to be disclosed by NYL to another organisation.
7. Protection Obligation
7.1 NYL shall protect personal data in its possession or control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or any other similar risks.
7.2 NYL shall do the following to fulfill its protection obligation:
(a) Requiring employees to be bound by confidentiality obligations in their employment agreements;
(b) Implementing robust policies and procedures (with disciplinary consequences for breaches) regarding confidentiality obligations;
(c) Conducting regular training sessions for staff to impart good practices in handling personal data and strengthen awareness of threats to security of personal data; and
(d) Ensuring that only the appropriate amount of personal data is held, as holding excessive data will also increase the efforts required to protect personal data. Examples of physical measures an organisation may use to protect personal data;
(e) Marking confidential documents clearly and prominently;
(f) Storing confidential documents in locked file cabinet systems;
(g) Restricting employee access to confidential documents on a need-to know basis;
(h) Using privacy filters to minimise unauthorised personnel from viewing personal data on laptops;
(i) Proper disposal of confidential documents that are no longer needed, through shredding or similar means;
(j) Implementing an intended mode of delivery or transmission of personal data that affords the appropriate level of security (e.g. registered post instead of normal post where appropriate);
(k) Providing a summary of the personal data contained in storage so that personal data is accessed only when necessary; and
(l) Confirming that the intended recipient of personal data is the correct recipient to avoid undue disclosure of personal data.
7.3 NYL shall implement the following measures to protect personal data:
(a) Ensuring computer networks are secure;
(b) Adopting appropriate access controls (e.g. considering stronger authentication measures where appropriate);
(c) Encrypting personal data to prevent unauthorised access;
(d) Activating self-locking mechanisms for the computer screen if the computer is left unattended for a certain period;
(e) Installing appropriate computer security software and using suitable computer security settings;
(f) Disposing of personal data in IT devices that are to be recycled, sold or disposed;
(g) Using the right level of email security settings when sending and/or receiving highly confidential emails;
(h) Updating computer security and IT equipment regularly; and
(i) Ensuring that IT service providers are able to provide the requisite standard of IT security
8. Retention Limitation Obligation
NYL shall cease to retain documents containing an individual’s personal data, or remove the means by which the personal data can be associated with him/her, as soon as it is reasonable to assume that:
(a) the purpose for which the personal data was collected is no longer being served by retention of personal data; and
(b) retention is no longer necessary for legal or business purposes.
9. Transfer Limitation Obligation
NYL shall not transfer an individual’s personal data outside of Singapore except in accordance with the requirements of the PDPA.
10. Complaints Handling Procedure
10.1 Should an individual be unhappy with NYL’s treatment of his/her personal data or if they believe there has been a breach of this Policy, they shall contact NYL’s Data Protection Officer (details in clause 15 below) and clearly set out the nature of their concerns.
10.2 The complaint shall be reviewed and the individual shall be provided with a written response within fourteen (14) working days.
11. Compliance With This Policy
11.1 NYL implements this Policy through the use of proper procedures and staff training to ensure compliance with this Policy.
11.2 NYL shall ensure that all employees and any representatives who deal with personal data are aware of the standards of this Policy.
11.3 NYL requires that all of its staff and representatives with access to personal data maintain confidentiality concerning that personal data.
12. Review of NYL’s Data Protection Policy
NYL ensures that this Policy remains current and continues to fulfil its objectives. This is achieved through periodical reviews, having regards to:
(a) the need to actively consider privacy and data protection issues as new services are developed or offered;
(b) any guidance issued in relation to the PDPA; and
(c) any changes to the PDPA.