Personal Data
Action for AIDS Singapore (‘we’, ‘us’, ‘our’, etc.) respects the right of individuals to protect their personal data. This data protection policy:
- gives you information about how we collect, use and disclose personal data about you
- recognises both your right to protect personal data about you and our need to collect, use or disclose it for purposes that we believe are reasonable and appropriate in the circumstances of our charitable work and
- applies to the personal data of all individuals (‘you’, ‘your’, etc.) who are:
  - our clients
  - donors to us
  - our employees, including volunteers
  - our members, members of the Management Committee, members of any committee(s) formed by us (including any committee(s) formed by our Management Committee) and any other similar individuals
  - online users of our website
If you are not in any of these categories but we collect, use or disclose personal data about you in the course of our charitable work this data protection policy will apply to that personal data consistently with the way in which it applies to an individual in these categories. If you would like further information about the way in which we collect, use or disclose personal data about you, please do not hesitate to contact our Data Protection Officer (see 11 for contact information).
1. Definitions
‘client’ means any individual to whom we provide our services.
‘donor’ means an individual who makes one-off or occasional or regular financial contributions to us, either directly or indirectly.
‘employee’ means any person employed by us on any basis and includes volunteers, members of our Management Committee and members of any committee(s) formed by us.
‘online users’ means anyone who accesses our website.
‘personal data’ means data, whether true or not, about an individual who can be identified:
- from that data or
- from that data and other information to which we have access or are likely to have access
‘publicly available’, in relation to personal data about you, means personal data that is generally available to the public, and includes personal data which can be observed by reasonably expected means at a location or an event:
- at which you appear and
- that is open to the public
‘services’ means the education, support and care and advocacy activities that we deliver in Singapore in connection with HIV/AIDS.
‘our website’ means our website at www.afa.org.sg.
2. Purpose(s) for us collecting, using or disclosing personal data
We collect personal data from donors, employees and other individuals and use and/or disclose that personal data so that we are able to provide our services efficiently and effectively and so that we can comply with our legal obligations. Where we obtain your express consent to us collecting, using or disclosing personal data about you (see 3.4), we will first notify you of the purpose(s) for which we collect, use or disclose that personal data. This notification might be more specific than the above statement.
3. Our collection, use and disclosure of personal data
3.1 How we collect personal data about you
Where possible, if we collect personal data about you we collect it directly from you. We do this in various ways, including telephone and in-person meetings and interviews, forms and questionnaires.
3.2 Your option not to provide us with personal data about you
If at any time you would prefer not to provide some personal data that we request, either during a discussion or in one of our forms or questionnaires, please let us know. We will explain our purpose for collecting that personal data. If you still do not wish to provide it we will discuss with you whether or not we can proceed without it. We may not be able to do so.
3.3 Consent to us collecting, using or disclosing personal data about you
We collect, use, or disclose personal data about you only if:
- you give (see 3.4), or are deemed to have given (see 3.5), your consent under the Personal Data Protection Act (PDPA) to us collecting, using or disclosing that personal data or
- collection, use or disclosure by us of that personal data without your consent is required or authorised under the PDPA (see 3.6) or any other written law
3.4 Collecting, using or disclosing personal data about you with your consent
Where we ask you to consent to us collecting, using or disclosing personal data about you (see 3.3) we will first inform you of our purpose(s) for collecting, using or disclosing that personal data. We will do this on or before collecting the personal data. We will not use or disclose personal data about you for any other purpose(s) without first informing you of the additional purpose(s) and getting your consent to us using or disclosing it for the additional purpose(s). We may collect personal data about you from another individual or organisation (such as a hospital social worker) if you have given that other individual or organisation consent that allows it to disclose personal data to us. In that case, we will use or disclose personal data only for the purpose(s) for which the other individual or organisation disclosed it to us.
3.5 Collecting, using or disclosing personal data about you with your deemed consent
You are deemed to have consented to us collecting, using or disclosing personal data about you for a purpose if:
- without actually giving us express consent (see 4), you voluntarily provide the personal data to us for that purpose and
- it is reasonable that you would voluntarily provide that personal data
For example, if you seek subsidised testing or treatment or pose for a photograph by our photographer at one of our events you are deemed to have consented to us collecting, using or disclosing the personal data about you that is in the referral or in the photograph (that is, your image). Where you are deemed to have consented to us collecting, using or disclosing personal data about you we will collect, use or disclose that personal data only for the purpose(s) for which you are deemed to have consented to us doing so.
3.6 Collecting, using or disclosing personal data about you without your consent
We are permitted by the PDPA to collect, use or disclose personal data about you without your consent in the following circumstances:
- if it is publicly available or if it is business contact information
- if there is an emergency
- where the disclosure is related to law enforcement or where the collection, use or disclosure is in connection with certain legal issues
If you would like more information about the circumstances under which we may collect, use or disclose personal data without your consent, please contact our Data Protection Officer (see 11).
3.7 Collecting personal data from online users
If you browse our website, we do not currently capture any data that allows us to identify you.
4. Withdrawing your consent to us collecting, using or disclosing personal data about you
4.1 Your right to withdraw consent to us collecting, using or disclosing personal data about you
On giving reasonable notice to us, you may at any time withdraw any consent you have given (see 3.4), or are deemed to have given under the PDPA (see 3.5), in respect of us collecting, using or disclosing personal data about you for any purpose.
4.2 How to exercise your right to withdraw consent
Any notice of withdrawal of consent (see 4.1) should be given in writing (which includes email) sent to our Data Protection Officer (see 11).
4.3 Our response when we receive your notice of withdrawal of consent
The consequences of you withdrawing consent (see 4.1) to us collecting, using or disclosing personal data about you for any purpose may be onerous for you. Therefore:
- we may require you to provide proof of your identity to assure ourselves we are dealing with the correct person and
- we will inform you in writing (which may be by email) of the likely consequences of withdrawing your consent for the specified purpose
4.4 Our actions when you withdraw your consent
If, after knowing the consequences of withdrawing your consent to us collecting, using or disclosing personal data about you for any purpose (see 4.3), you still wish to withdraw your consent:
- we will cease (and cause any and all of our data intermediaries to cease) collecting, using or disclosing the personal data, unless doing so without your consent is required or authorised under the PDPA or other written law and
- we will cease to retain our documents containing that personal data, or remove the means by which the personal data can be associated with you, as soon as it is reasonable for us to assume that retention is no longer necessary for our legal or business purposes
5. Access to and correction of personal data
5.1 Your right to request access and/or information
On request by you, we will as soon as reasonably possible provide you with:
- personal data about you that is in our possession or under our control and
- information about the ways in which we have, or may have, used or disclosed that personal data within a year before the date of your request
There are some circumstances where we are not required to provide you with information (see 5.5), where we are not allowed to provide you with information (see 5.6) and where we may be able to provide you with limited information (see 5.7).
5.2 How to request access or information
Any request by you for access to personal data about you and/or for information about its use or disclosure by us (see 5) should be made in writing (which includes email) sent to our Data Protection Officer (see 11).
5.3 Our request for proof of your identity
When we receive your request for access to your personal data and/or for information about its use or disclosure by us (see 5) we may require you to provide proof of your identity. This is intended to ensure that access to personal data about you and/or information about its use or disclosure by us is provided only to the correct individual. This is one of the ways we protect personal data about you.
5.4 How we provide you with access and/or information
We will provide you with personal data about you that is in our possession or under our control by providing you with a photocopy or a printout of it. If personal data (for example, your name and address details) is duplicated across our databases or files, we will generally provide it once, rather than multiple times.
5.5 When we are not required to provide access or information
In some circumstances, the PDPA does not require us to give you access to your personal data or information about how we have, or may have, used it within the year before your request (see 5). This includes the following circumstances:
- if the request would unreasonably interfere with our operations because of the repetitious or systematic nature of requests from you
- if the burden on, or expense to, us of providing access would be unreasonable or disproportionate to your interests
- if the information does not exist or we cannot find it
- if the information is trivial
- if the request is otherwise vexatious or trivial
- if we keep or may use the personal data in relation to an investigation or legal proceeding or for purposes otherwise related to legal issues – if you would like more information about this exception, please contact our Data Protection Officer (see 11)
5.6 When we are not allowed to provide access or information
The PDPA does not allow us to give you access to your personal data or information about how we have, or may have, used it within the year before your request (see 5) in a range of circumstances. These include where our doing so could reasonably be expected to:
- threaten the safety or physical or mental health of an individual other than you
- cause immediate or grave harm to your safety or to your physical or mental health
- reveal personal data about another individual
- reveal the identity of an individual who has provided personal data about you and the individual providing the personal data does not consent to the disclosure of their identity
If we have disclosed your personal data to a prescribed law enforcement agency under certain circumstances the PDPA does not allow us to disclose to you that we have done so. If you would like information about the circumstances in which this prohibition applies, please contact our Data Protection Officer (see 11).
5.7 When we may provide limited information only
If we are able to provide you with access to your personal data and information about how we have, or may have, used it within the year before your request (see 5) without the personal data or other information that:
- we are not required to provide to you (see 5.5) and/or
- we are not permitted to provide to you (see 5.6)
we will provide you with access to your personal data and other information without the information that we are not required and/or permitted to provide to you.
6. Correction of errors in, or omissions from, personal data about you
6.1 Your right to request us to correct personal data
You may request us to correct an error or omission in the personal data about you that we hold or that is under our control. However, there are some circumstances where we do not make a correction (see 6.6) and other circumstances where we are not required to act on such a request (see 6.7).
6.2 How to make a request to correct personal data
Any request by you for us to correct an error or omission in personal data about you (see 6.1) should be made in writing (which includes email) sent to our Data Protection Officer (see 11).
6.3 Our request for proof of your identity
When we receive your request for us to correct an error or omission in personal data about you (see 6.1), we may require you to provide proof of your identity and/or documents or other evidence supporting your request.
6.4 When we will correct your personal data
If you request us to correct personal data about you (see 6.1), unless we are satisfied on reasonable grounds that a correction should not be made, we will:
- correct the personal data as soon as practicable and
- send the corrected personal data to every other organisation to which we have disclosed the personal data within a year before the date we made the correction
However, we do not have to send the corrected personal data to every other organisation if that other organisation does not need the corrected personal data for any legal or business purpose.
6.5 Where another organisation notifies us about corrected personal data
Another organisation that has disclosed your personal data to us (for example, a hospital social worker) might notify us that it has corrected personal data about you. If this happens, unless we are satisfied on reasonable grounds that we should not make the correction, we will correct your personal data that is in our possession or under our control.
6.6 Where we do not correct personal data about you
In any case where we are not satisfied that we should correct your personal data (see 6.4 and 6.5) we will:
- write to you (which may be by email) to tell you why we have not made the correction and
- annotate your personal data in our possession or under our control with the correction that was requested but not made
6.7 When we are not required to correct personal data
The PDPA sets out certain circumstances in which we are not required to correct your personal data. If you would like information about this exception or the other circumstances where correction is not required, please contact our Data Protection Officer (see 11).
7. Accuracy of personal data
We make reasonable efforts to ensure that personal data that we collect about you or that is collected on our behalf is accurate and complete if:
- we are likely to use that personal data to make a decision that affects you or
- we are likely to disclose that personal data to another organisation
8. Protection of personal data
We take reasonable steps to ensure the security of personal data about you that is in our possession or under our control and to protect it against risks such as loss or unauthorised access, destruction, use, modification or disclosure. Only authorised personnel are permitted to have access to personal data about you.
9. Retention of personal data
We cease to retain documents containing personal data about you, or we remove the means by which the personal data can be associated with you, as soon as it is reasonable to assume that:
- the purpose for which we collected that personal data is no longer being served by retention of the personal data and
- retention is no longer necessary for legal or business purposes
10. Complaints procedure
10.1 Our commitment to handling complaints
We strive for excellence in providing services to our clients and in all our interactions with donors, and with our employees, as well as with the community generally. This includes our compliance with the PDPA.
10.2 How to make a complaint to us about our collection, use or disclosure of personal data about you
Please direct any queries or complaints you have about the way in which we collect, use or disclose personal data about you to our Data Protection Officer (see 11). Generally, we are unable to deal with anonymous complaints because we are unable to investigate them. If you raise a complaint anonymously we will nevertheless note the matter raised and, if possible, try and investigate and resolve it appropriately.
10.3 Providing details of the complaint
Whenever you make a complaint (see 10.2) our Data Protection Officer will seek to obtain sufficient information from you to enable us to investigate it. Please be prepared to provide our Data Protection Officer with information as to, for example:
- the type of action, or lack of action, by us that has given rise to your concern
- whether it was an isolated incident or is ongoing and, in the case of an isolated incident, when it occurred
- a copy of any relevant correspondence you hold and
- details about what you consider should have happened or should not have happened
10.4 Resolution of the complaint
Immediately upon receiving a complaint (see 10.2) our Data Protection Officer must investigate it and within two business days either:
- advise you of the outcome of the complaint and the reasons for that outcome or
- write to you (which may be by email) advising you that the Data Protection Officer needs more time to investigate the complaint and stating when the Data Protection Officer expects to have resolved the complaint for you
The Data Protection Officer must in any event complete the investigation of your complaint within 10 business days.
10.5 Communicating the outcome of a complaint to you
If a complaint (see 10.2) is settled to your complete satisfaction, our Data Protection Officer is not required to advise you in writing of the outcome of the complaint, unless you request a written response (which may be by email). If a complaint is not settled to your complete satisfaction, our Data Protection Officer will advise you of the outcome of the complaint and the reason(s) for that outcome in writing (which may be by email). If you are not satisfied with the outcome, you may take your complaint to the Personal Data Protection Commission.
11. Data Protection Officer
We have appointed a Data Protection Officer. To raise any questions or comments you may have about the way we collect, use or disclose personal data and/or about any aspect of this data protection policy and/or to make a complaint about how we have collected, used or disclosed personal data about you, please contact our Data Protection Officer. To contact our Data Protection Officer:
- send an email to DPO@afa.org.sg
- call +65 6254 0212
- write to us at 9 Kelantan Lane #03-01, Singapore 208628
12. Changes to this data protection policy
We reserve the right to review, amend and/or update this data protection policy at any time and from time to time. If we decide to make any changes to this data protection policy, we will post them on our website.