fbpx

A member of

Aefe Logo

Accueil > Personal Data Protection and Management

IFS Personal Data Protection and Management

The Personal Data Protection Act (“PDPA”) was passed into law by the Singapore Parliament on 15 October 2012. It is a baseline law and circumscribes the collection, use and disclosure of personal data by the International French School (Singapore) (“IFS” or “the School”), recognising the right of individuals to protect their personal data.

A Personal Data Protection Commission (“PDPC”) consisting of appointed members has been established to ensure the effective implementation of the PDPA.

IFS Personal Data Protection Policy

IFS protects data of students, parents, teaching / non-teaching staff and other individuals and embraces good practice in relation to maintaining and holding such data in accordance with the PDPA. This means keeping information securely with appropriate controls; ensuring that the individual’s consent is obtained as required by the PDPA; the individual is made aware of the purpose for which IFS is collecting, using and disclosing his/her data/information; and holding accurate information. IFS ensures that data is managed responsibly in the manner expected by the PDPA. 

The purpose of this Policy is to prescribe guidelines which enable IFS to comply with the PDPA in respect of the data we hold, i.e. in our possession or control about individuals; to embrace good practice in relation to maintaining and holding individual data; to protect IFS’ students, staff and other individuals whose data is held by IFS, and to protect IFS from the consequences of a breach of our responsibilities under the PDPA.
This Policy covers the collection, use, disclosure, processing, protection, storage, retention, and disposal of personal data in the possession or under the control of IFS.

Definition of Personal Data

Personal Data” as defined in the PDPA means “data, whether true or not, about an individual who can be identified from that data; or from that data and other information to which IFS has or is likely to have access”. In other words, any data that can identify a unique person either on its own (e.g. NRIC number) or in combination (e.g. Full Name and Home Address – because many people can have the same name).

Essentially, any data or information that has the ability to identify the individual concerned would constitute personal data of that individual.

The following categories of personal data are excluded for the purposes of PDPA obligations:

  • Business contact information used in a business-to-business context.
  • Personal data that is contained in a record that has been in existence for at least 100 years.
  • Personal data about a deceased individual who has passed away for more than 10 years.
  • Publicly available information, which is information that is lawfully made available to the general public 
  • Data which cannot be associated with an individual, or which has been anonymised.
Collection of Personal Data

When collecting any personal data from an individual, he/she must be informed of the purpose for which and how his/her data will be used, even when the data collection point is outside of Singapore.

Purpose Limitation 

Under the PDPA, IFS can only collect, use or disclose / transfer personal data about an individual for specific purposes that a reasonable person would consider appropriate in the circumstances; and for which the individual was notified on or before the data collection.

Notification of Purpose 

When collecting any personal data from an individual, the individual must be informed of the purposes for which and how such personal data will be used and/or disclosed.
IFS has included a statement of purpose (or “notice”) in contracts or forms used for collection of personal data, setting out how and for what purpose the information will be used. 

Consent

An individual is determined to have given consent for the collection, use or disclosure of his/her personal data when IFS informs the individual of:

  • The purposes for the collection, use or disclosure of the personal data, as the case may be, on or before collecting the personal data;
  • The business contact information of a person who is able to answer on behalf of IFS the individual’s questions about the collection, use or disclosure of the personal data, when so requested; and
  • The individual provided his consent for that specific purpose;
  • Or where the individual voluntarily provides the personal data to IFS for that purpose and it is reasonable that the individual would voluntarily provide such data.
Deemed Consent

Under certain circumstances as provided for in the PDPA, there could be deemed consent when individuals voluntarily provide their personal data to IFS after having understood the purpose (and it is reasonable for them to do so).

Consent on Behalf 

There could be instances where one Individual A acts validly on behalf of another Individual B in providing the latter’s personal data to IFS. For example,

  • Individual A is the parent or guardian of Individual B who is a minor
  • Individual A has been granted lasting power of attorney or court order to act on behalf of Individual B who is mentally incapable of making his/her own decision

Under such circumstances, there is no need to get consent directly from Individual B. However, IFS must ensure that Individual A can act validly on behalf of Individual B, and that Individual A is aware of the purpose(s) why IFS wants to collect the personal data of Individual B. 

Where Consent is not Required

The PDPA provides for certain circumstances (non-exhaustive, only those that are relevant to IFS) where there is no need to seek consent for the collection, use or disclosure of personal data:

  • Publicly available data
  • In the national interest (e.g. contact tracing during COVID-19)
  • In relation to data obtained from or disclosed to a public agency
  • To protect vital interests of individuals (e.g. responding to emergency, incidents affecting health or safety, contacting next-of-kin or friend of any injured, ill or deceased individual)
  • To recover a debt owed by the individual to IFS, or to pay to the individual a debt owed by IFS
  • For any investigation or court proceedings
  • For evaluative purposes (to determine the suitability, eligibility or qualifications of the individual to whom the data relates, e.g. for appointment, promotion or termination in employment)
  • Document produced in the course of the individual’s employment, business or profession
  • Entering into, managing or terminating an employment relationship or appointment
Treatment of Publicly Available Data

As a guide, as provided for under the PDPA, there is no need to get consent for the collection, use or disclosure of personal data that is generally available to the public.

Note that so long as the personal data in question was publicly available at the point of collection, IFS will be able to use and disclose the said data without consent, even if it may no longer be publicly available at a later time. 

Withdrawal of Consent

Individuals are entitled to withdraw their consent to IFS for collection, usage or disclosure of their personal data either fully or partially under PDPA.
Individuals need to submit to the DPO a form to withdraw their consent for specific purposes, via email. A distinction must be made between purposes necessary and optional to maintain existing business relationships.

Accuracy 

The PDPA requires IFS to make reasonable efforts to ensure that personal data collected by or on behalf of the school is accurate, complete and up-to-date. Care needs to be taken to ensure data accuracy.

In instances where the personal data is provided directly by the individuals themselves, IFS has a clause in the form for these individuals to self-declare that the personal data provided by them is accurate, complete and up-to-date.

Retention of Personal Data

The PDPA does not prescribe the retention period of personal data. However, IFS has put in place a Document Retention and Disposal Policy with specified retention periods that commensurate with legitimate business or legal purposes. Once the retention period expires, IFS shall take reasonable effort to dispose of or destroy the documents (both paper and electronic) containing personal data as soon as it is reasonable.

Certain personal data may be retained beyond the specified retention period if such data is required for analytics, research or statistical purposes, by anonymising the data through the removal of unique identifiers that are associated with individuals.

Access to Personal Data

An individual is entitled to access the complete set of his personal data held by IFS or information on how IFS has been using or disclosing such data over the past one year, by completing a specific form. Under the PDPA, IFS is obligated to provide the requested data as soon as reasonably possible, unless it falls into an exception under Section 21 or the Fifth Schedule to the PDPA, where IFS is not obliged to provide the individual with access to his/her personal data.

In a situation where a third party is making an access request on behalf of an individual, IFS should ensure that the third party has the legal authority to act on behalf of the individual.

Any personal data access request will be handled by the DPO or his/her delegate(s). An acknowledgement of the access request should be provided within the prescribed period, in an approved template. 

Prior to acting on any personal data access request, the DPO will make a reasonable effort to verify the requestor’s identity, or verify that the person making the request has been authorised to act on behalf of the individual concerned.

A notification of status of data access request should be provided within the stipulated timeline and within 30 days the requested information should be provided or a status update report should be provided to the requestor with an indicative timeline by which such requested information will be made available.

Under the PDPA, IFS is allowed to charge the requester a reasonable fee to process the data access request. Such a fee should be standardised across IFS.

IFS may reject the data access request based on reasonable grounds.

If IFS intends to reject an access request, the school should inform the requester about the reasons why the request is rejected.

CCTV footage: The Access and Correction Obligation also applies to personally identifiable information on video footage captured by CCTV cameras. If the retention period of such video footage is three months due to the capacity of the recording equipment, then IFS is only obliged to retrieve the requested personal data up to three months. 

Correction of Personal Data

Individuals may request to correct an error or omission in the personal data held in possession of IFS. IFS is obliged to make corrections to such personal data, although certain exceptions exist under the Sixth Schedule to the PDPA.

Any correction request will be handled by the DPO or his/her delegate(s). An acknowledgement of the correction request should be provided within the prescribed period, in a template to be designed by the DPO. The DPO may require documentary proofs from the individual requesting the change, such as address proofs, before correcting the personal data.

A notification of status of data correction request should be provided within the stipulated timeline and within 30 days the corrected information should be provided or a status update report should be provided to the requestor with an indicative timeline by which such corrected information will be made available. 

Note that IFS is not allowed to charge any fee for the processing of the data correction request.

IFS can reject the data correction request if the school is satisfied on reasonable grounds that the correction should not be made. As a good practice, IFS should annotate the reasons in the records and explain to the requester why the correction should not be made.

Dealing with Data Protection Incidents

IFS will manage data protection incidents in accordance with the process set out in IFS Data Breach Management Policy. As part of this process, we require all our staff members to follow specific guidelines on reporting data incidents, including completing a data incident form which we will investigate and log.

DPO 
  • To access IFS Data Protection Notice for Parents & Students, please click here >> 
  • To access IFS Data Protection Notice For Employees, please click here >>
  • To access IFS Data Protection Notice for Job Applicants, please click here >>

Under the Personal Data Protection Act 2012 (PDPA), individuals have the right to request access to and correction of their personal data as well as to withdraw their consent for the collection, usage and disclosure or transfer of their personal data.

To download IFS form to Request Access, Correction of Personal Data and/or Withdrawal of Consent, please click here >>

If you have any queries, please contact [email protected]

Share your opinion on the protection of personal data at IFS by completing this form  

Note: We encourage all parents to carefully review the student contract. This document contains important information, such as our commitment to protecting your child’s personal data in accordance with the PDPA.