The Personal Data Protection Act 2012 (PDPA) established a new overarching Singapore regime for the protection of personal data and seeks to ensure that organisations comply with a baseline standards of protection for personal data of individuals
There are two key parts of the PDPA:
- Protection of an individual’s “personal data”, i.e. data, whether true or not, about an individual which can be identified from that data or other information available or accessible by that organization. The protection covers personal data stored in electronic or non-electronic form.
- Establishment of a Do Not Call Registry (DNC Registry) for individuals to opt-out from receiving certain types of marketing messages
Meiji Seika (Singapore) Pte Ltd (Organization) is committed to compliance with the PDPA. As an employee of the Organization (Staff), you have to be familiar with the guidelines in this document as it describes the responsibilities in connection with any personal data that may be collected, used and disclosed with your role within the Organization.
You should read, understand and comply with the provisions of the Personal Data Protection Policy (Policy). If you have any questions regarding this policy, please contact the Data Protection Officer (DPO) at dpo@meiji.sg.
Where Staff fail to comply with this Policy, they may be subject to consequences described in the relevant Code of Conduct governing employees.
This Policy may be updated from time to time.
What is personal data?
Please regard any data which you can relate to a specific identifiable individual, whether such individual is identifiable from the data itself or from other information which is reasonably available to the Organisation, as being “personal data”. The only exception to this is the following information provided to you in your business capacity, which you collect, use and disclose in your business capacity or for a business purpose of the:
- Name;
- Position name or title;
- Business telephone number;
- Business address;
Business electronic mail address;
Business fax number; and - Other similar information provided to you in your business capacity (e.g. such as contained on business cards you collect or provided pursuant to contracts signed between an entity and a third party).
By way of example, all of the following is personal data:
- NRIC/passport number;
- Photograph or video image of an individual; and
- Name and address or phone number.
Please seek the assistance of the DPO if you are unsure whether any specific information is “personal data”.
Further general information on PDPA is available at http://www.pdpc.gov.sg/.
Approach to PDPA compliance
As far as possible, the Organisation will seek to obtain consent from the relevant individual, for the Organisation’s collection, use and disclosure of such individuals’ personal data. As a matter of general practice, the Organisation believes that this is a better approach than relying on exceptions or exclusions in the PDPA.
A comprehensive public data protection policy is in place for reference by our customers. The public data protection policy will be provided upon request.
Details on what personal data is collected, and the general scope of consents which would have been obtained (i.e. the purposes for which use and disclosure is acceptable) are set out below.
Note on the collection of personal data
There are established mechanisms through which the Organisation collects personal data which have been vetted for compliance with the PDPA. Such mechanisms are set out exhaustively below:
- From standard hardcopy forms, and documents attached to such forms, when completed;
- Through customer service hotlines or email address;
- From visitor sign-in books;
- From CCTV cameras deployed by the Organisation; and
- From the Organisation’s employees, prospective employees or human-resource service providers.
Where you are responsible for collecting information through any of the mechanisms above, please ensure that the personal data you collect is accurate and complete. This will be accomplished if you comply with the relevant internal process for that collection.
You should not regularly be collecting personal data from Staff or customers except through one or more of these mechanisms. If you would like to establish a new mechanism for collection of personal data, or to amend any existing standard document used for collection of personal data please ensure that it is in compliance with the PDPA. If in doubt, you may seek the assistance of the DPO.
The Organisation also expects that from time to time you will receive personal data through email, or on the phone. Please use and disclose such personal data only for the purpose for which it was provided to you. You should not be storing or creating a database of such personal data. If you would like to establish a storage mechanisms or database for storing any such personal data, please seek the assistance of the DPO to ensure compliance with the PDPA.
Before using or disclosing personal data
Prior to using or disclosing any personal data, you must:
r to using or disclosing any personal data, you must:
- Check that the personal data you are using or disclosing is listed in paragraph 7 or paragraph 8; and
- Confirm that the purpose for which you are using or disclosing that personal data is listed in the corresponding “permitted purposes” column in paragraph 7 or paragraph 8.
Marketing through the voice calls, SMS or fax
“Specified messages” must not be sent by or on behalf of the Organisation through voice calls, text message (e.g. SMS/MMS) or fax. “Specified messages” generally include any message which objectively may be considered to be advertising, promoting or offering goods, services, business or investment opportunities, advertising or promoting any suppliers or providers of such items. While “specified messages” do not include business-to-business marketing messages, it has been determined that none of the services provided by the Organisation, will not be marketed, advertised, promoted, or offered to any person by or through a voice call, text message or fax, except by authorised personnel to conduct telemarketing as described in paragraph below.
If you are the authorized, you may use personal data of the individuals stored in the marketing database (designed to include only individuals who have requested to receive such marketing) to market, advertise, promote or offer the Organisation’s products and services through voice calls, text messages or faxes to individuals.
If you are planning on sending any “specified messages”, unless you are authorised personnel sending messages to numbers listed in the marketing database, please seek assistance from the DPO.
Personal data of Staff
The Organisation collects, uses and discloses personal data of Staff for purposes as listed in Appendix 1. You agree to such collection, use and disclosure of your personal data by the relevant member(s) for each of the purposes and that you have been notified that your personal data will be collected, used and disclosed for each of the purposes as described in Appendix 1.
If for any reasons you become aware that any of your personal data is inaccurate or could be updated, please let Human Resource Department know.
If you have any questions regarding the use of your personal data by the Organisation or you would like to exercise your right to access or correct your personal data, please contact our Human Resource Department.
Personal data of customers
The Organisation collects, uses and discloses personal data of customers for purposes as listed in Appendix 2.
While the Organisation has obtained relevant consents from its customers for the use and disclosure of their personal data for the purposes as described in Appendix 2, consent has not been obtained for any other use of data. In any event, the personal data of customers should only be used and disclosed on a “need to know” basis.
If in your use or disclosure of the personal data of customers, you notice that such data is inaccurate or incomplete, please inform the relevant party owning and maintaining the personal data.
Please refer all questions, requests or questions from the Organisation’s customers relating to use of personal data to the DPO.
Interface with Document Retention Protocol
Data must be retained in accordance with the Organisation’s Document Retention Protocol and disposed of/destroyed when it is no longer required for any business or legal purpose.
Appendix 1
Personal data of the Organisation’s Staff.
Type of Personal Data | Purpose |
Personal data of employees | For managing or terminating the employment or other relationship between the Organisation and the employee;To evaluate the employee;To fulfill internal audit requirements;For payroll arrangement;To arrange for employment benefits/privileges to be offered to the employee;To use employee’s details or those nominated contact on business continuity/disaster recovery contact list;To confirm the employee’s contact in the context of security clearances authorisation granted;To make disclosures as permitted or required by applicable law such as in connection with investigations;To respond to queries the employee or the employee’s authorised representatives may have to manage disputes;To apply for insurance policy. |
CCTV Footage | To maintain security of the Organisation’s office premise |
Appendix 2
Personal data of the Organisation’s customers.
Type of Personal Data | Purpose |
Personal data of customers | For processing any applications or requests for new services made by the customer; For the daily operation of the services provided to customers; For administrating or managing the relationship between the Organisation and the customer;For conducting identity checks;To complying with any law or the requirements of any regulatory authority;To respond to customer enquires;To obtain feedback from customers;For fulfilling internal audit requirements to compile information for analysis and in reports to regulatory agencies;To make disclosure to related organisations, agent, contractor or third party service provider who provides administrative, telecommunications, computer, payment, debt collection or clearing, data processing or other services to the Organisation in connection with the operation of its business. |
Note: Use of data for the purposes include disclosure between the Organisation, to third parties who provide services to the Organisation and further collection, use or disclosure by such parties of such data for such purposes. If you are establishing a new method of disclosure or if you are unsure whether you may use such data, please seek assistance from the DPO.