Moriah & Sembawang B-P Churches
PERSONAL DATA PROTECTION POLICY

1. PURPOSE
 
1.1 This policy is effected in conjunction with the Personal Data Protection Act (PDPA) which establishes various rules governing the collection, use, disclosure and care of personal data.
 
1.2 Personal data refers to data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which the organisation has or is likely to have access. Personal data may be stored in electronic and non-electronic forms.
 
1.3 This policy shall govern the collection, use, disclosure and care of personal data in Moriah & Sembawang B-P Churches.
 
2. SCOPE
 
2.1 This policy shall apply to personal data of members and friends of both Moriah & Sembawang B-P Churches.
 
2.2 Members shall have the same definition as per our Church Constitution and refers to persons who have been baptized in or transferred their church memberships to either Moriah or Sembawang B-P Churches.
 
2.3 Friends generally refers to persons who attend either Moriah B-P Church or Sembawang B-P Church on a regular basis and to whom pastoral care may be given.
 
3. INTENDED AUDIENCE
 
3.1 This policy is primarily intended to all persons employed or serving in Moriah and Sembawang B-P Churches who may access and handle personal data of members and friends in the course of work or church ministries/activities in Moriah and/or Sembawang B-P Churches. All such persons are required to comply with this policy and the PDPA.
 
3.2 It may also be made accessible to any individual who would like to know the Church policy on members’ and friends’ personal data protection.
 
4. COLLECTION OF PERSONAL DATA
 
4.1 Moriah and Sembawang B-P Churches shall collect, use or disclose personal data generally for the purpose of maintaining the Membership and Friends Registry, the provision of Pastoral Care, Church Administration, Church ministries and activities.
 
4.2 Personal data should not be collected unnecessarily or more than necessary and only pertinent personal data related to the purposes required by the Church shall be collected.
 
5. SEEKING CONSENT
 
5.1 Moriah & Sembawang B-P Churches shall collect, use or disclose personal data only with the individual's consent (with some exceptions as provided by the PDPA) provided the individual has been notified of the purpose of collection, use and/or disclosure.
 
6. NOTIFYING PURPOSE
 
6.1 Where personal data is collected, the target individual must be notified of the purpose of such collection, use and/or disclosure. The following notice shall be included in all data collection forms or other instruments:
 
NOTICE: Please be informed that the Church is governed by the PDPA. It will use the data it collects for maintaining the Membership & Friends’ Registry, Pastoral Care, Church Administration & Church Ministries & Activities. If you wish to withdraw consent for the use of your data, you may write to the Data Protection Officer at office@moriahbpc.org.
 
6.2 If personal data is planned to be collected, used and/or disclosed for any purpose other than the above, a written request shall be made to the Data Protection Officer who shall then seek approval from the Church Session. Upon approval by the Church Session, personal data collection may then proceed for such purpose.
 
6.3 In all cases, individuals must be notified of the purpose of personal data collection, use and /or disclosure and must be given the option to withhold / withdraw consent for such purpose.
 
7. PROTECTION
 
7.1 Moriah & Sembawang B-P Churches shall secure the personal data collected from members and friends in the following manner.
 
7.2 Electronic Membership and Friends’ Registry
 
7.2.1 Moriah & Sembawang B-P Churches maintain an electronic membership and friends’ registry. As far as practicable, Moriah & Sembawang B-P Churches wish to have an accurate and complete registry of members and friends.

7.2.2 The electronic membership and friends’ registry shall be secured by means of strong passwords. A strong password shall consist of a minimum of 6 alphanumeric characters and shall not be revealed / disclosed to non-authorized persons.

7.2.3 An access matrix shall be approved by the Session and shall serve as an authorized document to define the access privilege to the electronic membership and friends’ registry. Only individuals documented in the access matrix shall have access to the electronic membership and friends’ registry.

7.2.4 The access matrix should be reviewed and approved by the Church Session at least annually or whenever there is a change of access privileges in order to balance administrative efficiency & effectiveness as well as fulfilling the basic principles below.

7.2.5 Basic principles:
 
7.2.5.1 Authorisation of access should be based on the "least privilege principle" or in other words, on a "need-to-know" and/or "need-to-update" basis.

7.2.5.2 The number of persons who are able to update information should be restricted in order to minimise errors & also to promote accountability & traceability.

7.3 Hardcopies
 
7.3.1 Unless approved by the Church Session for exceptional circumstances, printing of membership and friends’ records / listing is strictly not allowed owing to the inherent risks arising from easy circulation of hardcopies. Where exceptional approval is given, the individual:
 
7.3.1.1 shall exercise all necessary and due care to prevent unauthorized access by unintended parties, and
7.3.1.2 shall immediately destroy the hardcopies when no longer required for the original purpose.
 
7.4 Distribution

7.4.1 Under no circumstances shall members’ and friends’ personal data, or part thereof, be distributed (either in electronic or non-electronic form) to unauthorized persons or for purposes other than for those notified to the individuals.
 
7.4.2 From time to time, any member of the Church Session may authorise personal data of members and friends, or part thereof, to be shared to leaders of various Church Ministries, provided the original purpose for which the personal data was collected is met (viz, paragraph 6). In such cases, the distribution of such information shall be channeled through authorized staff of the Church Office of Moriah & Sembawang B-P Churches. Church Ministry leaders shall not further distribute, by any means (e.g. making copies, printing, forwarding by email, etc ...), any personal data of members and friends.
 
7.5 Retention & Disposal

7.5.1 All personal data and corresponding consent forms (electronic or non-electronic) shall be retained until the purpose for which that personal data was collected is no longer being served by the retention of the personal data.

7.5.2 When no longer required, all documents containing personal data in either electronic or non-electronic form shall be appropriately disposed of (e.g. hardcopies are shredded, etc).

8. For more detailed requirements of the PDPA, refer to http://www.pdpc.gov.sg/.

8.1 This Policy shall prevail except in areas where this policy is silent or is less stringent than the PDPA, in which case the PDPA shall take precedence.

8.2 This policy may be amended as and when required by the Church Session.