CITY HARVEST COMMUNITY SERVICES ASSOCIATION Data Protection Policy
1. Introduction
City Harvest Community Services Association (“CHCSA”, “we”, “us” or “our”) is committed to protecting the personal data of all individuals in accordance with the Singapore Personal Data Protection Act 2012 (Act 26 of 2012) (“PDPA”), including the latest amendments introduced under the Personal Data Protection (Amendment) Act 2020. This policy outlines the principles and practices CHCSA adopts in collecting, using, disclosing, storing, and disposing of personal data. Through this policy, CHCSA aims to safeguard the privacy of individuals, maintain accountability, and foster trust among its stakeholders. It is applicable to all persons employed by CHCSA (whether full-time, part-time, contract staff and temporary staff), contractors, sub-contractors, authorized third party commercial service providers and/or any personnel who are involved in the handling of personal data within CHCSA.
2. Personal Data
Personal data means “data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organization has or is likely to have access.” This includes, but is not limited to, names, contact details, NRIC numbers, photographs, and other identifying information. CHCSA collects personal data only when it is necessary and appropriate for service provision, outreach activities, volunteer management, donations, or other organisational purposes.
3. Collection of Personal Data
Prior to collecting, using, or disclosing personal data about an individual CHCSA ensures that individuals are notified of the purposes and that proper consent is obtained—unless consent is deemed or an exception under the Personal Data Protection Act (PDPA) applies. CHCSA should consider:
a) Whether the individual (or a person who has the legal authority to validly act on behalf of the individual) had been notified of the purposes for the collection, use or disclosure of his personal data and had given consent to such collection, use or disclosure;
b) If consent had not been given, whether consent can be deemed to have been given by the individual (or a person who has the legal authority to validly act on behalf of the individual) for the collection, use or disclosure of his personal data for the purpose; andc) Whether the collection, use or disclosure without the consent of the individual is required or authorised under the PDPA or any other written law, in particular, assessing whether the circumstances fall within any of the exceptions from the Consent Obligation in the Second, Third or Fourth Schedules to the PDPA.
d) Whenever if the data is collected via a third party such as referral agencies, the personal data is collected in accordance with the relevant data protection laws and regulations. CHCSA will ensure that proper consent has been secured before using such data. In certain exceptional cases—such as emergencies, legal obligations, public agency requirements, or business improvement needs—personal data may be collected, used, or disclosed without consent, as allowed under the Personal Data Protection Act (PDPA).
All forms that are used to collect personal data shall include statements indicating the purpose of such collection.
4. Consent, Purpose, Disclosure of Personal Data
CHCSA is committed to collecting, using, and disclosing personal data in a responsible and transparent manner. This applies to all individuals whose data we collect, including employees, donors, members, event participants, volunteers, or any other persons engaging with CHCSA. Before any personal data is collected, individuals are informed of the specific purpose.Only the personal data necessary for the intended purpose is collected—CHCSA avoids collecting excessive or unnecessary information.
In some cases, CHCSA may rely on deemed consent, such as when individuals voluntarily provide their data for a clear purpose, and it is reasonable to assume they understand and agree to it. CHCSA may also rely on deemed consent by notification, which involves conducting an internal assessment to ensure there is no likely adverse effect on the individual. In such cases, CHCSA will inform individuals of the intended use of their data, the purpose, and how they can opt out within a reasonable time. Where there is uncertainty, actual consent will be obtained to avoid disputes.
If CHCSA needs to use or disclose personal data for a new or different purpose that was not originally communicated, fresh consent must be obtained. Only those who provide consent will be included in the new purpose.
CHCSA strictly limits the use and disclosure of personal data to the stated purposes unless an exception under the Personal Data Protection Act (PDPA) applies. These principles ensure that all personal data is handled in accordance with the law and with respect for the privacy of individuals.
5. Withdrawal of Consent
You may withdraw their consent—whether previously given or deemed—at any time by submitting a written request to CHCSA. Upon receiving such a request, CHCSA will inform the individual of the potential consequences of the withdrawal. While CHCSA will not prevent anyone from withdrawing consent, the withdrawal may affect CHCSA’s ability to continue providing certain services or support, and any legal obligations arising from the original consent will remain.
If the request is made on behalf of another person, the requester must also provide the full details of that individual. CHCSA will only process requests related to a person’s own data or, where applicable, for data processed on behalf of another organisation—not third-party individuals or unrelated organisations.
All valid withdrawal requests will be processed within 10 business days. CHCSA will also notify any third parties to whom the personal data had been disclosed and instruct them to stop using or sharing the data, unless otherwise permitted under the Personal Data Protection Act (PDPA) or other applicable laws. If more time is required to complete the process, CHCSA will inform the individual of the expected timeline.
Once withdrawal is confirmed, CHCSA and its agents will cease any further collection, use, or disclosure of the personal data, unless required or authorised by law.
6. Exceptions For Collection, Use Or Disclosure Of Personal Data Without Consent
While CHCSA generally requires consent for the collection, use, or disclosure of personal data, there are certain exceptions under the Personal Data Protection Act (PDPA) where consent is not necessary. These include situations where data is disclosed in an emergency to protect an individual’s life, health, or safety, or where the use of personal data is necessary for evaluative purposes—such as determining eligibility for financial or social assistance under a public scheme.
Consent is also not required for data that is publicly available or when personal data is disclosed to or by a public agency. In addition, the PDPA permits the use of personal data without consent for business improvement purposes, such as enhancing or developing services, refining operational processes, understanding customer behaviour and preferences, or identifying and personalising services suitable for different individual profiles. These exceptions are applied responsibly and in accordance with legal requirements.
7. Managing Access and Correction Requests
Individuals have the right to request access to their personal data and to seek corrections if the data is inaccurate or incomplete. Upon receiving a written request, CHCSA will provide the individual with access to their personal data that is in our possession or control, as well as information on how it has been used or disclosed within the past year. We aim to respond as soon as reasonably possible, typically within 30 days. If more time is needed, we will notify you of the expected timeframe. A reasonable fee may be charged to cover the cost of processing the access request.
In some cases, access may be denied—for example, if it would reveal personal data about another person, compromise safety or investigations, or is deemed frivolous or excessive. If access is denied, CHCSA will inform the individual of the reason and retain a copy of the relevant data for at least 30 days, in case a review is requested.
For correction requests, you may ask CHCSA to update any errors or omissions in their personal data. If CHCSA is satisfied on reasonable grounds that a correction is needed, it will update the data promptly—normally within 30 days—and may, with consent, notify other organisations that received the incorrect data within the past year. Corrections will only apply to the individual’s own data, and information about other individuals will not be disclosed. If CHCSA decides not to make the correction, the reasons will be annotated in the record and explained to the individual.
8. Accuracy of Personal Data
We will make every reasonable effort to ensure that personal data collected by us or on our behalf is accurate and complete.
We generally rely on personal data provided by you (or your authorised representative). In order to ensure that your personal data is current, complete, and accurate, please update us if there are changes to your personal data by informing our Data Protection Officer.
9. Protection of Personal Data
CHCSA safeguards personal data in its possession or control by implementing reasonable security measures to prevent unauthorised access, use, disclosure, loss, or damage. To uphold data protection standards, CHCSA conducts regular staff training to promote awareness of proper data handling practices and potential security risks.
Only the necessary amount of personal data is collected and retained, and access is restricted strictly to authorised personnel on a need-to-know basis. Technical safeguards such as access controls on storage systems and secure configurations of equipment (e.g. printers and scanners) are in place. When personal data is transferred—whether electronically or physically—it is done securely, with sensitive files encrypted and passwords shared separately.
CHCSA also ensures printed documents containing personal data are collected immediately and not left unattended. Once data is no longer needed, it is securely destroyed using shredders or trusted disposal services, and never discarded in public bins. The organisation assigns trained personnel to oversee information security and maintain a high standard of compliance with the Personal Data Protection Act (PDPA).
10. Retention of Personal Data
CHCSA retains personal data only for as long as it is necessary to fulfil the purpose for which it was collected, or as required for legal or business reasons. Once the data is no longer needed, CHCSA will either securely dispose of it or remove any identifying details that link it to an individual.
Regular housekeeping is conducted to ensure that only relevant and necessary personal data is kept—this applies to both physical records and digital data stored in systems or databases. This practice helps to minimise data security risks and ensures compliance with the Personal Data Protection Act (PDPA).
11. Transfer of Personal Data
Unless for business-related needs, we generally do not transfer your personal data to other jurisdictions. However, if we do so, we will obtain your consent for the transfer to be made and we will take steps to ensure that your personal data continues to receive a standard of protection that is at least comparable to that provided under the PDPA, including entering into an agreement with the receiving party to accord similar levels of data protection as those in Singapore.
12. Data Breach Notification
In the event of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, we shall promptly assess the impact and if appropriate, report this breach within three (3) calendar days to the Personal Data Protection Commission (PDPC). We will notify you when the data breach is likely to result in significant harm to you after our notification to PDPC. We may also notify other relevant regulatory agencies, where required.
13. Changes to this Policy
We reserve the right to make changes to this Policy at any time and all changes that have been made will be published here. Please check back frequently to view any updates or changes that have been made to this Policy.
14. Contact us
You may email our Personal Data Protection Officer at the below address:
Data Protection Offer
12 Pine Close
#01-85 Singapore 391012
Email: dpo@chcsa.org.sg
For general information about PDPA, please visit the Personal Data Protection Commission’s website at http://www.pdpc.gov.sg
It all begins with an idea. Maybe you want to launch a business. Maybe you want to turn a hobby into something more. Or maybe you have a creative project to share with the world. Whatever it is, the way you tell your story online can make all the difference.
Don’t worry about sounding professional. Sound like you. There are over 1.5 billion websites out there, but your story is what’s going to separate this one from the rest. If you read the words back and don’t hear your own voice in your head, that’s a good sign you still have more work to do.