Introduction
The Singapore Personal Data Protection Act 2012 (the “PDPA”) protects the personal data of individuals, i.e. natural persons.
We are responsible for the personal data of all individuals in our possession or under our control. Every current, former and prospective client, employee, business partner (including agents and third party service providers) and any other individual who has dealings with [Homekeeper International Pte Ltd] and our other group companies (collectively, the “Company”, "we", "our" or "us") has legal rights to personal data protection. We respect these rights when collecting, using, transferring, storing, accessing and correcting personal data. It is our policy to comply with the requirements of the PDPA. In doing so, we ensure our adherence to industry standards pertaining to the security and confidentiality of personal data. In case of doubt, we shall consider what a reasonable person would deem appropriate in the circumstances. A strong personal data protection policy further boosts our clients’ confidence in the discretion of our services and enhances our public image.
The PDPA applies to activities involving personal data in Singapore. Where personal data is collected overseas and subsequently transferred into Singapore, the PDPA will apply in respect of the activities involving the personal data in Singapore. Personal data collected outside Singapore may be subject to the data protection laws of the jurisdiction in which it was collected, if any, and all collection carried out by the Company shall be in accordance with applicable laws. Compliance with foreign data protection laws may affect regulatory evaluation of our compliance with the PDPA.
The PDPA is intended to be the baseline law which operates as part of Singapore law. It does not supersede existing statutes, such as the Securities and Futures Act and the Financial Advisers Act, but will work in conjunction with them and the common law. To the extent that any PDPA provision on data collection, protection, use and disclosure is inconsistent with the provisions of other written laws, the provisions of the other written law shall prevail.
This Policy sets out how we manage personal data.
Personal Data
Personal data refers to data, whether true or not, about a natural person who can be identified from that data, or from that data and other information to which we have or are likely to have access. The data may be in electronic or non-electronic form.
Examples (non-exhaustive) of such personal data include:
- Name;
- NRIC, FIN, passport or other identification numbers;
- Mobile, residential or other contact numbers;
- Residential address;
- Email address;
- Age/Date of birth;
- Education background;
- Employment history;
- Profession/occupation;
- Income levels;
- Financial information, such as amount of assets under management or transaction-related information;
- Personal preferences;
- Photos and videos;
- Cookies/IP addresses;
- Performance indicators.
In the case of individuals who have passed away within 10 years from the date of contemplation, only the provisions relating to disclosure and protection of his/her personal data shall still apply. The deceased individual’s rights under these provisions may be exercised by his/her personal representative or nearest relative. Once more than 10 years have passed since the death of the individual, the data protection provisions no longer apply.
Business contact information is not subject to the rules on data protection, collection, use and disclosure. Business contact information means an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his/her personal purposes.
Information and Consent
General Requirement for Informed Consent
We shall not collect, use or disclose an individual’s personal data beyond what is reasonable to provide our service(s) or product(s) to him/her or to work with him/her.
We shall inform the individual of the purpose(s) for collecting, using and disclosing his/her personal data and obtain consent for the collection, use and disclosure of the personal data before any of his/her personal data is collected, used or disclosed for such purpose. Specifically:
- We must inform the individual of the purposes for which we collect, use and/or disclose his/her personal data before the individual gives his/her consent for such collection, use and/or disclosure. The information we provide concerning the purposes shall be, as far as is reasonably practicable, true, accurate and complete;
- On request by the individual, we shall provide the business contact information of our Compliance Officer; and
- The individual must give consent for the purposes for which we collect, use and/or disclose his/her personal data prior to such collection, use and/or disclosure, preferably in writing.
We shall inform the individual and obtain his/her consent for any other purpose of the use or disclosure of his/her personal data of which he/she has not yet been informed and agreed to, prior to such use or disclosure.
As best practice, we shall use our best endeavours to obtain written consents; consent given via WhatsApp is also considered valid written consent. In situations where we receive verbal consent, we shall use our best endeavours to document such verbal consent internally for record purposes.
An individual is deemed to consent to the collection, use or disclosure of personal data about him/her by us for a purpose not specifically informed to him/her, if:
- the individual, without actually giving consent, voluntarily provides the personal data to us for that purpose; and
- it is reasonable that the individual would voluntarily provide the data.
Unless this Policy indicates that deemed consent is present, the Compliance Officer must confirm the presence of deemed consent.
There are certain exemptions from the consent requirement. These are set out below in Exemptions from the Consent Requirement.
In relation to Clients & Prospective Clients
Deemed Consent from Prospective Clients
In the case where, during prospecting and preliminary discussions, the prospective client voluntarily provides his/her personal data with a view to engaging with our maid search services, he/she is deemed to consent to Homekeeper collecting, using and disclosing this personal data for presenting our maid search functions to him/her and providing preliminary assessments.
Representation of Third Party Consents
In order for us to provide our maid search services to clients, clients are required to provide us with personal data of certain third party individuals, e.g. that of their family members, persons they have business dealings with, or persons that are a source of their wealth.
We are required to ensure that personal data on such persons has been collected and is disclosed lawfully by the client. Consequently, the PDP Annex contains a representation and warranty by the client that such third party individuals have provided consent to the client’s provision of their personal data to us.
Third Party Personal Data and Deemed Consent
During communications with clients or preliminary discussions with prospective clients about their engaging our maid search services, it may be the case that, in order for us to carry out our work effectively and in accordance with applicable laws, the client or prospective client has to disclose to us personal data of third party individuals we do not deal directly with. For example, he/she may have to disclose to us personal data about his/her family members who contribute to his/her wealth, his/her family members he/she provides for or personal data about his/her business partners.
It is the responsibility of the client or prospective client (as applicable) to ensure that his/her disclosure of such third party personal data for the purpose(s) of possibly establishing a business relationship with us and/or engaging our services and/or purchasing our products is consented to by such third parties, in accordance with applicable laws. Generally, however, we should also ensure that the client or prospective client has obtained the consent from the third party individuals to use and disclose their personal data for our intended purposes, before we collect, use or disclose such personal data.
If the client or prospective client has consent from the third parties to use and/or disclose their personal data for the purpose of engaging in preliminary discussions with us and/or engaging our services and/or purchasing our products, such third parties are also deemed to consent to our collection and use of their personal data for the same purposes. Notably, the third party may be deemed to consent to the disclosure of his/her personal data by the client or prospective client (as applicable) for the purposes of the client or the prospective client engaging our services, if the third party voluntarily gave his/her personal data to the client or prospective client for this purpose and it is reasonable that such third party would voluntarily provide this data.
Exemptions from the Consent Requirement for Data Collection, Use & Disclosure
Subject to applicable laws, notable exemptions from the consent requirement for collection, use and/or disclosure of personal data include the following:
- when the personal data is publicly available;
- when the use and/or disclosure is necessary for any purpose which is clearly in the interests of the individual, if consent for its use or disclosure cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;
- when such data collection, use and/or disclosure is necessary for evaluative purposes;
- when such data collection, use and/or disclosure is necessary for any investigation or proceedings, if it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the personal data;
- when the disclosure is to a public agency and such disclosure is necessary in the public interest; or
- specifically in relation to clients, prospective clients and their representatives:
  - for the purposes of complying with our anti-money-laundering and countering-the-financing-of-terrorism (“AML/CFT”) obligations, such as in the course of our performing client due diligence, we may, directly or through a third party, collect, use, and disclose personal data of the client, prospective client, individuals appointed to act on behalf of the client or persons holding executive powers at corporate clients without the respective individual’s consent; or
- specifically in relation to current or prospective employees:
  - when the personal data is included in a document produced in the course, and for the purposes, of the individual’s employment, business or profession, and collected for purposes consistent with the purposes for which the document was produced; or
  - when the personal data is collected by us and the collection is reasonable for the purpose of managing or terminating our employment relationship with the individual.
Confidentiality
We are committed to implementing strict physical, electronic, administrative and procedural safeguards to protect personal data in our possession or under our control against loss, misuse, damage and unauthorized access, modifications or disclosures, at each stage of data collection, processing, retention and disclosure including (without limitation):
- requiring all employees to be bound by confidentiality obligations in their employment agreements;
- implementing robust staff policies and procedures (with disciplinary consequences for breaches) regarding confidentiality obligations;
- storing confidential documents in locked file cabinet systems;
- restricting employee access to confidential data on a need-to-know basis;
- restricting access to our physical premises only to authorized personnel;
- implementing sophisticated information technology software to ensure that:
  - our information systems are password-protected;
  - sensitive data is segregated and access limited to authorized users only; and/or
  - transmissions of sensitive data are securely encrypted.
Involvement of Third Parties
Data Intermediaries
In the course of our business operations, personal data in our possession or under our control may be collected, processed and disclosed, pursuant to written contracts, on our behalf by third parties such as the following:
- other group companies;
- third party agents, contractors or service providers who provide operational services such as courier services, telecommunications, information technology, payment, printing, billing, processing, technical services, security and other services; and
- professional advisers such as auditors and lawyers.
Such parties are our data intermediaries.
The Compliance Officer shall ensure, via our contracts with such third parties, that the data intermediaries handle the personal data in accordance with this Policy, particularly in relation to the protection and retention of personal data.
Introducers
In the course of our business dealings with Introducers, where we seek to collect and use personal data about prospective clients from them, we shall provide the Introducers with sufficient information concerning the purposes for which we seek the personal data, to allow the Introducers to determine whether their disclosure of the personal data of prospective clients to us would be in accordance with applicable laws.
Processing of Personal Data for Other Organisations
Where we handle personal data on behalf of any other organisation, including but not limited to other group entities, this Policy shall apply to our handling of such personal data, too.
Transfer to Other Jurisdictions
As a matter of practice we do not transfer personal data in our possession or under our control outside of Singapore.
In the event such a transfer is approved by management to proceed, prior to such transfer, the Compliance Officer shall take reasonable steps to verify that the overseas receiving party(s) have in place a standard of protection for the transferred data equal to or higher than that set out in this Policy, in adherence with applicable laws and cross-border data protection policies.
When personal data is transferred overseas, the Compliance Officer shall inform the affected individuals of the extent to which their personal data will be protected in the foreign jurisdiction(s) to which the data will be transferred and seek their consent.
Collection
We shall not collect any personal data on any prospective client, client, prospective employee, employee, business partner or any other individual without having obtained the individual’s consent and only for purposes the individual has been informed about, unless an exemption provided by statutory regulations, in particular in the PDPA and the Notice to Capital Markets Intermediaries on Prevention of Money Laundering and Countering the Financing of Terrorism (“SFA04-N02”), as indicated in this Policy applies.
Automated Monitoring
In our operations we may monitor and record physical and communicative interaction concerning or involving the Company, including in the following manners:
- monitoring and/or recording of voice calls with clients and banks for employee training and performance evaluation, identity verification and, most of all, control purposes;
- monitoring and/or recording of internet use; and
- carrying out closed circuit television camera (“CCTV”) surveillance and conducting security clearances to manage the safety and security of our premises and services.
Generally, we shall inform all concerned individuals that we are carrying out the monitoring of and recording of information, be it data, video or voice.
The PDP Annex, the EPDP Annex and written updates from the Company to all concerned individuals shall include information on all types of monitoring and recording of information carried out by us, and the purposes behind our surveillance.
In relation to CCTVs, we shall place notifications of CCTV deployment in prominent locations within our office in order to enable individuals to have sufficient awareness of the CCTVs and to inform such individuals of the purpose for which we deploy CCTVs. The placement or content of the notifications need not reveal the exact location of the CCTVs.
For incoming voice calls, every individual who calls the Company shall be notified via an automated message, prior to the telephone conversation taking place, that his/her call may be recorded and what the purpose for recording is.
Duty to determine Accuracy and Completeness
We shall, as far as reasonably practicable, ensure that personal data collected by or on behalf of us is accurate and complete, particularly in the case where:
- an individual’s personal data is likely to be used by us to decide a matter that affects him/her, e.g. on-boarding a new client, or making a hiring decision; or
- we are likely to disclose such personal data to another organization, e.g. when assisting a client to open an account at a custodian bank.
We may presume personal data provided directly to us by concerned individuals is accurate in most circumstances. As best practice, our on-boarding and employment documentation process shall include a representation and warranty by all clients and employees, that the personal data provided by them is accurate and complete, as well as research where appropriate or legally required.
At the start of each financial year, the Compliance Officer shall review all data and take steps to verify that the personal data in our possession and under our control remains up to date and, if necessary, update the relevant data.
Retention of Personal Data
We shall not store any personal data on any prospective client, client, prospective employee, employee, business partner or any other person without having obtained the individual’s consent and only for purposes that the individual has been informed about, unless an exemption provided by statutory regulations, in particular in the PDPA and SFA04-N02, as indicated in this Policy applies.
We shall retain personal data for as long as it is reasonable to assume the need for retention, to fulfil the purposes for which such data was collected, our business purposes, or as is otherwise required under any applicable laws. This Policy is subject to our rights and obligations under applicable laws to ensure retention of records which may contain personal data as well as the Company’s archiving and records retention policies.
Notably:
- under the AML/CFT laws and regulations presently in force, we are required to retain records which may contain clients’ personal data for at least 5 years following termination of our business relations or at least 5 years following the completion of relevant client transactions (as applicable);
- under the Companies Act, we are required to retain accounting records which may contain personal data of individuals for at least 5 years from the end of the financial year in which the relevant transactions or operations are completed; and
- under the Income Tax Act and the Goods and Services Tax Act, we are required to keep our business records for a period of at least 5 years.
As soon as it may reasonably be assumed that (i) the purposes for which personal data was collected are no longer valid; and (ii) all records retention obligations under applicable laws and our business needs have expired, we shall, on approval by management and the Compliance Officer, erase or destroy our documents and other media containing personal data, or remove the means by which the personal data can be associated with particular individuals.
Within 2 months of the end of each financial year, the Compliance Officer shall review all data in our possession or under our control for the purpose of identifying personal data that should no longer be retained. All data that contains personal data which should no longer be retained shall either be destroyed or any personal data therein erased.
In the event of extenuating circumstances which require us to retain certain personal data beyond its usual retention timeframe, e.g. if the client is involved in an on-going AML/CFT investigation, or if the Company is engaged in a legal dispute, we shall preserve such data as long as is reasonably necessary, such as until the AML/CFT investigation is concluded or the legal dispute is settled. In such cases, the Compliance Officer shall maintain a list of the data to be preserved and notify management of the extended retention.
In the case of a contemplated business asset transaction, should personal data of the employees, clients, directors, officers or shareholders of the prospective counterparty have been collected, and such business asset transaction did not proceed or complete, we shall destroy, or return to the prospective counterparty, all such personal data collected.
Use
We shall not use any personal data on any prospective client, client, prospective employee, employee, business partner or any other person without having obtained the individual’s consent and only for purposes that the individual has been informed about, unless an exemption provided by statutory regulations, in particular in the PDPA and SFA04-N02, as indicated in this Policy applies.
Prohibition Against Cold Calling or Any Other Similar Marketing Technique
We do not engage in the cold calling strategy for lead generation or to make unsolicited offers, in any other similar manner or via any other similar medium including text messaging, of our services or any of our products (if applicable).
Disclosure
Generally, we shall not disclose any personal data on any prospective client, client, prospective employee, employee, business partner or any other person without having obtained the individual’s consent and only for purposes that the individual has been informed about, unless an exemption provided by statutory regulations, in particular in the PDPA and SFA04-N02, as indicated in this Policy applies.
We shall, as far as reasonably practicable, verify that the transmission of the personal data is secure and that the receiving party employs the necessary security measures.
For disclosure of data to parties outside of Singapore, please refer to Transfer to Other Jurisdictions.
Who We May Disclose Clients’ Personal Data to
Generally, we shall protect and keep confidential personal data of our clients and prospective clients. However, subject to applicable laws, we may disclose such personal data for the purposes set out in the PDP Annex to parties such as those set out below:
- our group companies;
- banks, financial institutions, credit card companies and their respective service providers;
- companies providing services relating to insurance and/or reinsurance to us, and associations of insurance companies, including the Life Insurance Association Singapore;
- agents, contractors or third party service providers who provide services to us such as telecommunications, call centre, mailing, information technology, payment, payroll, data processing, training, market research, storage and archival;
- our professional advisers such as our auditors and lawyers; and
- regulators and authorities.
Who We May Disclose Current, Prospective or Former Employees’ Personal Data to
Without limitation, parties to whom current, former or prospective employees’ personal data may be disclosed include:
- other group companies;
- vendors, landlords, agents and representatives;
- regulators, authorities, professional bodies;
- other financial institutions; and
- employees’ representatives.
Access to Personal Data, Correction of Personal Data and Withdrawal of Consent
Request for Access to Personal Data and/or Correction of Personal Data
Any individual may request us in writing to grant him/her access to his/her personal data and/or to correct an error or omission in his/her personal data.
The Compliance Officer shall first identify the person making the request and ensure that this person is authorised to access the personal data, in particular personal data regarding clients and prospective clients.
Access to Personal Data
The Compliance Officer shall collect the personal data to which access is requested. He/She shall submit the collected data to senior management for consent before disclosing it to the applicant.
Generally, we shall, as soon as reasonably practicable and as accurately and completely as reasonably possible:
- provide the applicant with his/her personal data in our possession or controlled by us; and
- inform him/her about how we have or may have used or disclosed such data within 1 year of the date of such request.
Generally, we shall provide to the applicant the requested personal data and information on its use and disclosure within 30 days after receiving the request. If our response will take longer, the Compliance Officer shall inform the applicant in writing of the time by which we will respond to the request.
However, there are certain circumstances under which we may be prohibited from providing access or we may in our discretion, deny access requests.
For example, we are prohibited from providing an individual access if the provision of the data could reasonably be expected to:
- threaten the safety or physical or mental health of another individual;
- reveal personal data about another individual;
- reveal the identity of another individual who has provided the personal data, and the individual has not consented to the disclosure of his or her identity; or
- be contrary to national interest.
We may also at our discretion deny access requests to personal data if:
- it is opinion data kept solely for evaluative purposes. For example, we need not provide access to records of the Company’s opinions formed about a potential employee in the course of interviewing him/her to determine suitability and eligibility for the position;
- the disclosure of the information would reveal confidential commercial information that could harm our competitive position; or
- it is related to an on-going prosecution or on-going investigation, in which case we may, if necessary, refuse to confirm or deny the existence of such personal data.
Where the individual is not to be granted access to portions of the personal data, we shall omit such data while still providing the individual access to the other personal data.
Correction
The Compliance Officer shall make efforts to verify if the requested amendments are true, accurate and complete. He/she shall submit his/her findings to senior management for consent.
If no good reason to the contrary is detected, the Compliance Officer shall correct the personal data as soon as practicable to do so and send the corrected data to every organisation to which we have, within a year of the date of such correction, disclosed the relevant data for legal or business purposes.
If other organizations notify us of corrections to be made to personal data in our possession or under our control, we shall make the necessary corrections as soon as practicable to do so, unless we have good reason to believe such correction should not be made.
In the case where we have good reason to reject making the requested amendments, we shall annotate the relevant personal data to reflect the amendments requested but not made.
We need not correct personal data on request if the request is in respect of opinion data kept solely for evaluative purposes or data related to an ongoing prosecution.
Limited Exception: Access and Correction Requests from Clients
Where clients, prospective clients, individuals appointed to act on their behalf or persons holding executive powers at corporate clients are concerned, for purposes of complying with our AML/CFT obligations, we need not:
- provide any access to their personal data in our possession or under our control, or any information on how we may have used or disclosed such personal data; and
- correct any error or omission in such personal data,
except if they seek access to the following types of personal data:
- full name including any alias;
- unique identification number, such as identity card number, birth certificate number or passport number;
- existing residential address and contact telephone number(s);
- date of birth;
- nationality; or
- any other personal data supplied by them; or
they request to correct an error or omission in relation to these types of data, and we are satisfied that there are reasonable grounds for the correction request.
Withdrawal of Consent
At any time, by giving us prior written notice, an individual may withdraw any actual or deemed consent in respect of our collection, use or disclosure of his/her personal data.
On receipt of such notice of withdrawal we shall first highlight the consequences of withdrawal to the individual concerned even if those consequences have been set out somewhere else. Thereafter, should the individual still wish to proceed, we shall, as soon as is reasonably practicable, cease the collection, use or disclosure of such personal data. Concerned data intermediaries and third party service providers must also be informed of the withdrawal and we shall ensure that they cease collecting, using or disclosing such personal data for our purposes.
Despite withdrawal, we are not required to delete or destroy the personal data upon request and may continue to retain such data in accordance with this Policy. In particular, we shall retain personal data where we have a legal obligation to maintain records.
Likely Consequences of Withdrawal of Consent by Prospective Clients
In the event of notification by a prospective client of withdrawal of his/her consent, the Sales Representative shall advise such prospective client that we will discontinue the on-boarding process.
Likely Consequences of Withdrawal of Consent by Clients
In the event of notification by a client of withdrawal of his/her consent, the Sales Representative shall advise such client of the likely consequences of such withdrawal, including the probable limitation or cessation of the asset management and/or maid search services and/or product(s) we are able to provide to him/her.
Likely Consequences of Withdrawal of Consent by Prospective Employees
In the event of notification by a prospective employee of withdrawal of his/her consent, we shall advise him/her that we will discontinue the hiring process.
Likely Consequences of Withdrawal of Consent by Current Employees
Current employees are advised that in the event of such withdrawal of consent, we reserve the right to terminate the employment relationship, reassign such employees’ current responsibilities and/or transfer such employees to a different role. Moreover, salary payments and benefits may be delayed or may not be provided anymore.
Dispute
In the event an individual submits a complaint in connection with our handling of his/her personal data, the Compliance Officer shall acknowledge in writing the receipt of such complaint within 2 business days.
Within 10 business days, the Compliance Officer shall contact the individual to inform him/her that the Compliance Officer will conduct an investigation into the complaint. The Compliance Officer shall also provide the individual with an estimation of the reasonable timeframe for our investigations and resolution of the complaint. If the complaint requires more time beyond such estimation to resolve due to its complexity, the Compliance Officer shall inform the individual accordingly on or before the expiry of the original estimated timeframe.
The Compliance Officer shall then investigate the complaint and submit his/her findings to senior management for consent. The results shall subsequently be presented to the individual by the Compliance Officer as deemed appropriate.
In the event that the Compliance Officer’s investigations conclude with a solution that is dissatisfactory to the individual, the individual shall be directed to contact our management. The Chief Executive Officer shall acknowledge his/her complaint within 2 business days of such contact, review the complaint and original resolution and strive to provide a satisfactory closure to the individual within 10 business days.
In the unlikely event that the Company is unable to reach an agreement with the individual, we shall send him/her a final response and inform him/her of his/her right to refer the complaint to the Personal Data Protection Commission. Alternatively, mediation shall be suggested as a method of alternative dispute resolution.
Execution
Disclosure of Policy and Procedures
We shall provide to all concerned individuals information on our personal data protection policies and practices in the following manners:
- incorporating information on our personal data protection policies and practices in our legal documentation, such as the PDP Annex and the EPDP Annex;
- sending letter updates to the concerned individuals informing them of legal or policy updates to our personal data protection policies and practices;
- making available on our website dedicated information on our personal data protection policies and practices for any matter concerning the personal data of individuals, in particular our consent withdrawal procedures and our complaints procedure; and
- making the business contact information of our Compliance Officer publicly available, via our website and our Company documentation, in order that concerned individuals may contact him/her to request further information on our personal data protection policies and practices, resolve queries in this regard and/or submit a complaint in this regard. Such business contact information should be readily accessible from Singapore, operational during Singapore business hours and, in the case of telephone numbers, be Singapore telephone numbers.
Officer in Charge of Personal Data Protection
Our Compliance Officer is our designated responsible person in charge of ensuring that the Company complies with this Policy and the PDPA at all times. He/She is also the point of contact for all matters related to personal data protection. Should any employee who is not the Compliance Officer receive requests from individuals concerning personal data protection, they are to forward these requests to the Compliance Officer immediately.
On request by any person, the Company shall provide him/her with the business contact information of the Compliance Officer.
Personal Data Inventory Map
To facilitate the proper implementation of this Policy, the Compliance Officer shall, in conjunction with management, keep an up-to-date personal data inventory map which tracks in general terms what personal data is collected by the Company, the purposes for such collection, the channels of collection, the methods of collection, the location of storage of data, and who such data is disclosed to.
Remedial Plan
In the event the Compliance Officer becomes aware of a breach of this Policy, he/she shall immediately notify management of the breach and, in consultation with management, take all appropriate actions to remedy and/or mitigate the consequences of such breach to the extent possible.
Within 3 business days of such breach, the Compliance Officer shall commence an investigation into the circumstances of the breach and, if necessary, take disciplinary action against any employees who are culpable for the breach in accordance with this Policy and applicable laws.
Annual Review
At the end of each financial year, a review of the personal data in our possession or under our control, of this Policy and of our execution thereof shall be conducted to:
- affirm that the collection, use and disclosure of the data is limited only to purposes that we have obtained consent for;
- affirm the classification of the personal data held by us to ensure that our employees, third party service providers and business partners are accessing such data only on a need-to-know basis;
- enhance our data security policies and security measures to ensure a consistently high level of security;
- affirm that contractual provisions are in place to ensure proper safeguards in respect of personal data disclosed to our third party data intermediaries; and
- affirm the work carried out by the Compliance Officer, in particular the proper removal of personal data which is no longer subject to any retention requirements.
Such review may be carried out either by management or by internal or external auditors.
Training
Management views the protection of personal data with utmost importance.
As employees of this Company, each member of our staff has the duty to familiarize themselves with this Policy and our personal data protection practices, and to carry out their duties in strict adherence with such policy and practices.
To facilitate this, the Compliance Officer shall, in consultation with management, carry out regular training sessions once every two years to train our employees on best practices for handling and protecting personal data in accordance with this Policy and the PDPA and strengthen their awareness of threats to security of personal data.
Transition
The Company may continue using personal data about an individual collected before 1 July 2014 for the purposes for which the personal data was collected unless:
- consent for such use is withdrawn; or
- the individual, whether before, on or after 1 July 2014, has otherwise indicated to the Company that he/she does not consent to the use of the personal data.
All existing clients and employees of the Company as of 2 July 2014 shall be required to indicate their consent to the Company’s collection, use and disclosure of their personal data for purposes described (i) in case of clients, in the letter entitled “Personal Data Protection Notification & Consent” (the “Consent”), or (ii) in case of employees, in the statement entitled “Consent to Our Processing of Your Personal Data” (the “Employee Consent”), by signing the letter or statement (as applicable).
The Compliance Officer shall review the Company’s current terms of engagement with the following:
- other group companies;
- other financial institutions; and
- all third party service providers involved in our business operations, such as agents, partners or data intermediaries;
to determine whether, under the present terms of engagement, the Company remains in adherence with this Policy and the PDPA. Where amendments need to be made, the Compliance Officer shall submit the proposed changes for management review and approval as soon as possible and reach out to the relevant counterparties to implement the necessary amendments.