Data Protection Policy
Personal Data Protection Policy (as of 1 June 2024)
- Objective
- Lions Home for the Elders (“Lions Home” or “the Home”) protects the confidentiality of its stakeholders, partners, employees, clients, residents and their caregivers. Personal data is treated in strictest confidence.
- This Data Protection (DP) Policy ensures the management of data in Lions Home is in compliance with the Personal Data Protection Act 2012.
- Purpose of Personal Data Protection Act 2012 (“PDPA”):
To govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
- Personal Data is defined in the PDPA to mean “any data about an individual who can be identified from that data and other information to which the organisation has or is likely to have access”.
- Personal Data shall include but is not limited to the following:
- Personal particulars such as NRIC/FIN number, contact details, finance-related information including credit card and bank account details; thumbprint; iris image; DNA profile; or
- Medical records; or
- Social and family background; or
- Information in either physical or electronic form. It includes images captured by CCTV cameras within Lions Home premises.
- Scope
- The DP policy outlines how Lions Home collects, uses, discloses and manages the personal data of the individual.
- Data Protection Provisions (Parts III to VIB) in the PDPA do not apply to:
- Any individual acting in a personal or domestic capacity;
- Any employee acting in the course of his/her employment with an organisation (unless they are accountable for egregious mishandling of personal data);
- Business contact information; and
- Any public agency.
- Definition of Key Terms
- Business contact information (BCI) - It is defined in the PDPA as “an individual’s name, position name or title, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his/her personal purposes”. Parts III to VIA (Data Protection Provisions) of the PDPA do not apply to BCI. The definition of business contact information is dependent on the purpose(s) for which such contact information is provided by an individual.
- Collection - Actions through which an organisation obtains control over or possession of personal data.
- Data Intermediary (DI) - It is defined as an organisation that processes personal data on behalf of a Data Controller (DC) pursuant to a contract. Only the Protection Obligation, Retention Limitation and Data Breach Notification Obligation apply in relation to the processing of personal data by a DI:
- On behalf and for the purposes of another organisation; and
- Pursuant to a contract which is evidenced or made in writing;
- The other organisation has the same obligations under the PDPA in respect of personal data that is processed on its behalf and for its purposes by a DI as if the personal data were processed by the organisation itself.
- Disclosure - Actions by which an organisation discloses, transfers or makes available personal data that is under its control or in its possession to any other organisation.
- Individual - A natural person, whether living or deceased. The term does not cover data relating to corporate bodies and other entities.
- Organisations - Any individual, company, association or body of persons, corporate or unincorporated, whether or not formed or recognised under the law of Singapore, or resident, or having an office or a place of business, in Singapore.
- Processing - It is the carrying out of any operation or set of operations in relation to the personal data, such as:
- Recording;
- Holding;
- Organisation;
- Adaptation or Alteration;
- Retrieval;
- Combination;
- Transmission;
- Erasure; or
- Destruction.
- Publicly available - Refers to personal data (about an individual) that is generally available to the public, including personal data which can be observed by reasonably expected means at a location or an event at which the individual appears and that is open to the public. Personal data is generally available to the public if any member of the public could obtain or access the data with few or no restrictions.
- Purpose - Refers to objectives or reasons.
- Reasonable - Organisation should take into consideration the circumstances it is facing and determine what would be the appropriate course of action to take in order to comply with its obligations, based on what a reasonable person would consider appropriate. A “reasonable person” is judged based on an objective standard and can be said to be a person who exercises the appropriate care and judgment in the particular circumstances.
- Use - Actions by which an organisation employs personal data (may involve collection or disclosure that is necessarily part of use).
- Accountability
- Lions Home has appointed a Data Protection Officer (DPO) who is responsible for overseeing the management of data and ensuring its compliance with the PDPA. He/She is supported by the Heads of Department (HODs), whose role is to execute the DP strategy at the operational level.
- The DPO is the point of contact for data protection incidents and/or any query on Lions Home’s Personal Data Protection Policy and Procedures. The roles of the DPO are as follows:
- Driving the development and review of data protection policies and processes;
- Ensuring compliance with the PDPA through data protection policies and processes;
- Fostering a personal data protection culture within the organisation and communicating the organisation’s personal data protection policies to stakeholders;
- Identifying and alerting management to any risk that might arise with regard to the personal data handled by the organisation;
- Handling access and correction requests to personal data;
- Managing personal data protection-related queries and complaints; and
- Engaging with the PDPC on personal data protection matters, if necessary.
- The DPO uses the PDPA Assessment Tool for Organisations (PATO) as the tool to get a high-level report on the implementation status of the Home’s data protection measures to identify possible areas for improvement and develop a Data Protection Management Programme to address the issues.
- Lions Home reviews its PDPA policies every two years, or when there are changes to the Home’s business operations or to the Act, to ensure their relevance.
- The DPO reports to the senior management of the Home on all PDPA-related matters. His/Her contact details are also published on the Home’s website so that clients of the Home can make requests or queries relating to their personal data.
- The Consent, Purpose Limitation and Notification Obligations
- The Home shall notify the individual of the purpose for the collection, use and disclosure of his/her personal data and obtain his/her consent unless the following exceptions apply (non-exhaustive):
- the Collection or Use or Disclosure is necessary and clearly in the interest of the individual, consent cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent; or
- the Collection or Use or Disclosure is necessary in an emergency that threatens the life, health or safety of the individual or another individual; or
- the Collection or Use or Disclosure is necessary in the national interest; or
- the Collection or Use or Disclosure is necessary for the purposes of research, business improvement, public benefits and legitimate interests; or
- the Collection or Use or Disclosure is necessary and the individual’s personal data is publicly available.
- Legitimate interests are the lawful interests of an organisation or another person, which the organisation has assessed to clearly outweigh any likely adverse effect to the individual. Examples of such legitimate interests include for evaluations, investigations or proceedings, or for recovering debts.
- Business improvements include helping the organisation improve, develop or enhance its products and services, or helping it better understand existing or prospective customers so it can offer more personalised products and services. This exception can be used by entities in a group of companies that intend to share customer data within the group. However, it cannot be used for sending direct marketing messages; for that, organisations must obtain individuals’ express consent.
- Research purposes enable organisations (e.g. commercial laboratories, institutes of higher learning, and market research companies) to conduct broader research and development that may not have any immediate application to their products, services, business operations or market.
- The comprehensive list of the exceptions may be found in the First Schedule (Collection, Use and Disclosure of Personal Data Without Consent) and Second Schedule (Additional Bases for Collection, Use and Disclosure of Personal Data Without Consent) under the PDPA.
- The Home shall assume the individual has given his/her deemed consent to the collection, use or disclosure of the personal data if he/she voluntarily provides his/her personal data to Lions Home or when the individual represents and discloses personal data about a relevant third party (dependent, spouse, children and/or parents).
- If the individual lacks mental capacity, the Home shall obtain consent from the authorised next-of-kin (NOK) or legal guardian. For an individual who has no NOK or legal guardian, the Head of Lions Home shall establish that the collection, use or disclosure of personal data is in the best interest of the individual.
- The purposes for the collection of personal data shall include but are not limited to the following:
- Admission to Lions Home or enrolment into the Home’s clinical and community-based care services; or
- Assessment of financials as part of the mandatory requirements; or
- Evaluation of biopsychosocial and emotional needs; or
- Application of grant and financial assistance from government agencies and/or philanthropic organisations; or
- Collaboration with health and social care organisations in delivering seamless, holistic and integrated care services; or
- Management of donations; or
- Management of volunteers; or
- Employment; or
- Communications with stakeholders and partners on the happenings in the Home as well as soliciting for donations through appeal letters and other mediums; or
- Regulatory and legal requirements.
- A new purpose for collecting personal data will require fresh notification to, and consent from, the data owner.
- Access and Correction Obligation
- Individuals can put forward their request in writing either through post or email to the DPO in order to access, correct or withdraw consent for the collection, use and disclosure of personal data.
- Lions Home shall attend to requests for access or correction of personal data within 30 calendar days. If Lions Home is unable to provide access or correct the information within 30 calendar days, it shall inform the requesters in writing as to when they can expect to receive the information, or when they can expect to have their personal data corrected.
- The Home shall respond accordingly based on the type and reasonableness of the request:
- Access - Lions Home shall provide an individual with his/her personal data that is under the control of the Home and about the ways in which the personal data has been or may have been used or disclosed during the past 12 months. Lions Home may impose a reasonable fee for such request. However, the Home will not allow access if it:
- threatens the safety or physical or mental health of another individual; or
- causes immediate or grave harm to the safety or physical or mental health of the individual who made the request; or
- reveals personal data about another individual; or
- reveals the identity of an individual who provided personal data about another individual; or
- is contrary to the national interest.
- Correction - The Home shall amend an error or omission in the personal data in its possession. In addition, it shall notify organisations to which the personal data was disclosed, unless otherwise directed by the individual.
- Withdrawal of Consent - The Home shall advise the individual that its ability to provide assistance, financial and/or any form of support, may be impeded as a result of the withdrawal of any consent given or deemed to have been given in respect of the collection, use and disclosure of personal data. Requests for confidential information required by law and by the relevant authorities will be duly complied with.
- For stakeholders, partners, donors and volunteers, they may exercise the option of withdrawal by notifying the Home of their intentions.
- Accuracy Obligation
- Lions Home shall ensure that the personal data collected is accurate and complete. It shall, where appropriate, take steps to authenticate the personal information collected.
- If the personal data is collected from a third-party source, Lions Home shall obtain a written confirmation from the third-party source that it has verified the accuracy and completeness of the personal data. If required, Lions Home may conduct an independent verification.
- Protection Obligation
- Lions Home shall protect personal data by making reasonable security arrangements such as administrative, physical and technical measures, to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
- Lions Home conducts regular checks on the protection measures (such as IT Systems Availability & Security and Data Confidentiality) to ensure that they are in place and effective.
- When engaging data intermediaries, Lions Home would ensure that the service agreements impose sufficient obligations to ensure the organisation’s own compliance with the PDPA.
- All new and existing staff receive regular training on PDPA and cybersecurity so that they are well apprised and updated on the proper procedures for protecting, processing and sending personal data.
- Retention Limitation Obligation
- Lions Home shall retain the documents containing personal data in accordance with the regulatory and operational obligations.
- Project files and Printed Records - Printed records containing personal data are archived for the periods listed below. Thereafter, where the information is obsolete or no longer required, printed records shall be destroyed:
- Clinical - 15 years
- Corporate Communications - 5 years
- Finance - 6 years
- Human Resource - 5 years
- Public / Social Welfare - 15 years
- The Home shall conduct a review of personal data every two years to determine if the personal information stored is still needed to serve its purposes.
- Data Breach Notification Obligation
- Lions Home has measures in place to monitor and take pre-emptive actions before data breaches occur.
- Lions Home has a management plan in place that documents its personal data breach management process. The plan includes the following activities:
- Containing the breach;
- Assessing risk and impact;
- Reporting the breach; and
- Evaluating the response and recovery to prevent future breaches.
- When a breach of personal data is established, Lions Home will activate its response plan according to its policy on Personal Data Protection Act (PDPA) - Managing Data Breaches.
- To familiarise the data breach management team, senior management and staff with the data breach management plan, the Home runs simulated exercises on possible data breaches. With these exercises, the organisation is better placed to manage any data breach that may happen.
Mr Christopher Teo
Deputy Chief Executive Officer
Data Protection Officer
For enquiries on personal data protection, please email lhe.pr@lionshome.org.sg